The vulnerability is located in the tomcat init script provided by affected packages, normally installed at /etc/init.d/tomcatN.
The script for tomcat7 contains the following lines:
    # Run the catalina.sh script as a daemon
    set +e
    touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
    chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
A local attacker who has gained access to the server in the context of the tomcat user (for example, through a vulnerability in a web application) would be able to replace the log file with a symlink to an arbitrary system file and escalate privileges to root once the Tomcat init script (running as root) re-opens the catalina.out file after a service restart, reboot, etc.
Affected package versions:
- Tomcat 8 <= 8.0.36-2
- Tomcat 7 <= 7.0.70-2
- Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Recommended action: Update to the latest tomcat packages provided by your distribution.
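
The following audit helper is an added example, not code from the advisory or from the Tomcat packages. It reports what a root-run touch/chown would act on at a given path, and flags chown calls in an init script that name catalina.out or CATALINA_PID without -h (no-dereference). The function names and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# classify_target PATH: report what a root-run touch/chown would act on.
classify_target() {
    if [ -L "$1" ]; then
        # chown without -h follows the link and changes the target's owner
        echo "SYMLINK -> $(readlink "$1")"
    elif [ ! -e "$1" ]; then
        echo "MISSING"
    elif [ ! -f "$1" ]; then
        echo "NOT-REGULAR"
    else
        echo "OK"
    fi
}

# scan_init_script FILE: print line numbers of chown calls that name
# catalina.out or CATALINA_PID and do not pass -h.
scan_init_script() {
    grep -nE 'chown[[:space:]].*(catalina\.out|CATALINA_PID)' "$1" |
        grep -vE 'chown[[:space:]]+(-[A-Za-z]*h)' | cut -d: -f1
}

# Constructed demo: a throwaway directory stands in for $CATALINA_BASE/logs.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/catalina.out"
    ln -s /constructed/placeholder "$d/planted.out"   # dangling, constructed
    printf '%s\n' 'set +e' \
        'touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out' \
        'chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out' \
        > "$d/init-fragment"
    echo "catalina.out: $(classify_target "$d/catalina.out")"
    echo "planted.out:  $(classify_target "$d/planted.out")"
    echo "unsafe chown at line(s): $(scan_init_script "$d/init-fragment")"
    rm -rf "$d"
}
demo
```

On a real host, point classify_target at the catalina.out and PID file paths the init script uses, and scan_init_script at the installed /etc/init.d/tomcatN script.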